In determining whether agency CIOs have learned their lesson after the 2015 OPM data breach, Rep. Will Hurd, R-Texas, commended NASA CIO Renee Wynn on her “unprecedented” move to refuse an end-user service provider the authority to operate (ATO) due to a lack of knowledge about the potential risks of that service.
“If my signature’s on that, and there had been a breach the next day, then it would have been very obvious that I would not have done the job that I was asked to do on behalf of NASA and of the Federal government,” said Wynn. “I was supported by everybody for making this decision, and I would do it again. I wish that we hadn’t ever reached that point.”
“These are the kinds of decisions that we want to see more CIOs making,” said Hurd, chairman of the House Oversight’s Subcommittee on Information Technology. “That’s the whole reason we’re empowering you to make these types of decisions.”
Other agency CIOs have implemented policies to ensure that both full-time employees and contractors do not compromise the security of agency data. Contractor access to data has become a particular concern in light of the discovery that an NSA contractor took home 50 terabytes of agency data.
“We’re implementing now a new zero-trust capability for systems administrators, where access is revoked and renewed with each new administrative task,” said Robert Klopp, deputy commissioner and CIO of the Social Security Administration. “It basically allows us to give administrator rights to contractors, knowing that those rights will disappear within a day.”
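The capability Klopp describes, administrator rights that are tied to a single task and lapse on their own within a day, is commonly called just-in-time privileged access. The following Python sketch is an added illustration of that pattern and is not the Social Security Administration's implementation; the broker class, the 24-hour cap, the principal and task names, and the fake clock are all assumptions constructed for the example.

```python
"""Illustrative just-in-time (JIT) administrator access broker.

Models the approach described in the quote above: a privilege is granted for
one named task, carries its own expiry, is revoked when the task is marked
complete, and is never valid beyond a fixed daily cap.  Constructed example,
not any agency's production code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import uuid

# Assumption: no grant may outlive one day, whatever the requester asks for.
MAX_GRANT_TTL = timedelta(hours=24)


@dataclass
class Grant:
    grant_id: str
    principal: str      # who was granted the rights (e.g. a contractor account)
    task: str           # the single administrative task the grant covers
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, delta):
        self.now += delta


class JitAdminBroker:
    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._grants = {}
        self.audit_log = []   # every grant, completion and sweep is recorded

    def request(self, principal, task, ttl=timedelta(hours=1)):
        """Issue a fresh, task-scoped grant; the TTL is clamped to the daily cap."""
        now = self._clock()
        ttl = min(ttl, MAX_GRANT_TTL)
        grant = Grant(uuid.uuid4().hex, principal, task, now, now + ttl)
        self._grants[grant.grant_id] = grant
        self.audit_log.append(
            f"{now.isoformat()} GRANT {principal} task={task!r} "
            f"until={grant.expires_at.isoformat()}")
        return grant.grant_id

    def is_authorized(self, grant_id, principal, task):
        """Authorize only if the grant exists, is live, and matches both
        the principal and the exact task it was issued for."""
        grant = self._grants.get(grant_id)
        if grant is None or grant.revoked:
            return False
        if grant.principal != principal or grant.task != task:
            return False
        return self._clock() < grant.expires_at

    def complete(self, grant_id):
        """The task is done: revoke immediately rather than waiting for expiry."""
        grant = self._grants.get(grant_id)
        if grant is not None and not grant.revoked:
            grant.revoked = True
            self.audit_log.append(
                f"{self._clock().isoformat()} REVOKE {grant.principal} "
                f"task={grant.task!r} reason=completed")

    def sweep_expired(self):
        """Periodic job: mark any grant past its expiry as revoked. Returns count."""
        now = self._clock()
        swept = 0
        for grant in self._grants.values():
            if not grant.revoked and grant.expires_at <= now:
                grant.revoked = True
                swept += 1
                self.audit_log.append(
                    f"{now.isoformat()} REVOKE {grant.principal} "
                    f"task={grant.task!r} reason=expired")
        return swept

    def ttl_of(self, grant_id):
        grant = self._grants[grant_id]
        return grant.expires_at - grant.granted_at


def demo():
    """Walk a contractor account through two tasks and report what was allowed."""
    clock = FakeClock(datetime(2017, 1, 1, 9, 0, tzinfo=timezone.utc))
    broker = JitAdminBroker(clock)
    # Task 1: a two-hour grant, used for its own task only, then completed.
    g1 = broker.request("contractor-42", "rotate-db-credentials", timedelta(hours=2))
    before = broker.is_authorized(g1, "contractor-42", "rotate-db-credentials")
    wrong_task = broker.is_authorized(g1, "contractor-42", "export-user-table")
    broker.complete(g1)
    after_complete = broker.is_authorized(g1, "contractor-42", "rotate-db-credentials")
    # Task 2: a three-day request is clamped to 24h and lapses by the next day.
    g2 = broker.request("contractor-42", "patch-web-tier", timedelta(days=3))
    clock.advance(timedelta(hours=25))
    after_day = broker.is_authorized(g2, "contractor-42", "patch-web-tier")
    swept = broker.sweep_expired()
    return {"before": before, "wrong_task": wrong_task,
            "after_complete": after_complete, "after_day": after_day,
            "swept": swept, "clamped_ttl": broker.ttl_of(g2)}


if __name__ == "__main__":
    for line in demo().items():
        print(*line)
```

The points worth noting for a reviewer are that the check is on the exact task string rather than on a role, so a grant issued for one job cannot be reused for another, and that `complete()` revokes immediately while `sweep_expired()` is the backstop for tasks nobody closed out, so the audit log explains why each grant ended.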
Jonathan Alboum, CIO of the U.S. Department of Agriculture, said that he wants to reduce contractor complacency by creating an agency culture in which contracts are regularly up for competition.
“We don’t want to be locked into vendors,” Alboum said, explaining that vendors often think that once they get the contract they’re there to stay. “That sort of mentality breeds the opportunity for sometimes the contractors to feel like they’re employees and to take liberties.”
Alboum, Wynn, and Klopp all said that they would like greater procurement budget authority to change, move, or void a contract in the case of an unapproved ATO.
“I would like to have that authority,” said Wynn. “I believe that procurement clauses would need to be added for the benefit of the Federal government.”
“If we were able to have some sort of legal wording in there that forced vendors to do this as one more lever on top of them, that would be very valuable to us,” agreed Klopp, saying that it would give them greater leverage to ensure that vendors do what they’re contracted to in the time allotted.
Hurd expressed a desire to provide agency CIOs with the necessary authority to take on these security concerns.
“CIOs are the focal point for everything information technology,” said Hurd. “Congress can’t hold agency CIOs accountable for what’s going on in IT if those CIOs don’t have the necessary authorities to get the job done.”